Okay. Good afternoon or as I like to say good morning. Welcome. I'm here to talk about privacy
and connected vehicles. First of all, a little bit about who I am. I have an electrical engineering
degree and worked as a network engineer, then decided that got boring.
So I went to law school because that's where all the really interesting problems lie.
Standard disclaimer. I'm not a lawyer. I don't give legal advice yet. And here's
my nonstandard disclaimer. I was contracted to work on this and I did sign an NDA in relation
to that work. However, that was only about 20 hours of work total. So there's not a lot
that ‑‑ not a lot to not disclose. Okay. This project I'm going to talk about
is dedicated short‑range communications. A lot of people should know what this is by
now but it's unfortunately still pretty opaque. The Senate committee, subcommittee on communications
technology and the Internet sure is aware of it and they're really excited about this
being the panacea that solves the wireless spectrum problem that they anticipate. It's
going to be a lot of work. I'm going to be focusing on one channel which is for dedicated
safety communications. The idea is that vehicles communicate to other vehicles and they also
communicate with the infrastructure. It would be pretty nice if 380 meters out they detected
you were approaching a red light in the middle of the night and so you never ever had to
stop because there was never any cross traffic.
The idea of infrastructure efficiency is pretty cool. And my question is will it maintain
privacy? I'm not convinced that the system as described and built will have enough protections
for personal privacy. I think it can. But I think it needs some very serious people
taking a very serious look at it.
There have been a few reviews like my review. It was a very small project. And not a lot
that's really convinced the automakers who are charging forward that they need to slow
down and consider the implications that this has on people.
The real reason that this technology is being pushed forward is safety. And it's really
dramatic. The kind of safety expectations,
they just finished a large scale road test. And the kind of improvements they expect
to get, they're expecting 82% reduction in all automotive accidents. 82%, that's a really
dramatic number. It's revolutionizing driving. And the problem
For example, in 2009, there were 5,000 deaths just from distracted driving alone.
That doesn't include drunk driving.
It doesn't include inattentive or emotionally distraught driving, which also causes a large number of accidents.
5,000 deaths in 2009 that were totally preventable.
The system would completely eliminate that type of or virtually eliminate that type of accident.
There are a lot of people who are working on this safety project.
As I mentioned before, there's a totally non-trivial effect on death.
25% of vehicle deaths each year can be prevented even without the system.
With the system.
We're going beyond.
We're talking about blind corners, dense fog, heavy rain situations.
The National Institute or the NTSB, National Transportation Safety Board, the wonderful people who brought us TSA,
they have recently called for a mandate because of two school bus accidents in the last month.
Buses were, one of them, the bus driver was at fault.
He was on medication and he wasn't reacting as he should.
And he ran a red light and the bus got hit by a truck moving through the intersection.
And the other instance was a school bus was moving safely and there was a speeding truck that couldn't slow down in time to avoid hitting the school bus.
Two school buses, many school children died.
So, each of these different scenarios could have been prevented had the driver been warned that there was an imminent accident.
And with 380 meters communication range, that's the spec for the communication range.
It has the potential to extend out much further.
So, that's a lot of warning.
And that's a lot of ability to respond in an accident.
And then the next question that comes up.
Is this going to really happen?
And the answer is, yeah.
It's already out there.
Most automakers have plans.
Most high-end automakers have plans to include this in their 2014 model year cars.
The NTSB is talking about making a mandate for 2015 model year cars.
Meaning every car on the road starting in 2015 will have this.
AC Delta is looking at aftermarket products.
Perhaps save you a little money on your insurance.
And bring more cars into the fold.
And then how soon?
As I said, 2014, 2015.
Very soon.
They've already run large-scale tests.
In Ann Arbor, Michigan, they got all the employees of a university and a hospital to put the aftermarket version in their car.
And they ran around.
They ran around for a year, and they measured what the density implications were, how it dealt with the infrastructure, and how cars dealt with each other.
They learned a lot of lessons, they came out with a new version, and they believe they're ready to move forward with this.
It's already, this sort of technology is already deployed in trucks in Europe.
In addition to the safety benefits, you're able to get more efficiency.
By allowing cars to move closer together.
Because as soon as somebody in front of you steps on the brakes, you know that, and so you can step on the brakes.
If you're particularly alert.
So you can get wind efficiencies as well as just density efficiencies for the highways.
So what is this?
I've been talking about it.
The basic safety message is the core of the protocol.
It's just a digital blob that's sent out once every tenth of a second.
It's a standard blob with predefined values, very much like a CAN bus message.
There's no header information.
It's not like ASN1 where you have the key value pairs.
It's just the data glob.
The idea is that the cars process the messages and warn the driver so that the driver actually gets to mitigate the information and interpret it as to what they should do initially.
Although the self-driving car people are really excited about this technology.
It's, they assured me that this wasn't an autonomous thing and that they would definitely deploy it for a few years and see how it worked before they started automating the system.
Yeah, this is what the aftermarket system looks like.
The idea is that it comes with its own sensors.
It comes, it was told to me that it would be a self-driving car.
It's a self-contained system that there would be no existing things on the system that would be potentially open for compromise.
And they were absolutely confident that they had developed the sensor systems well enough that they wouldn't have the concerns about coming between the sensor and the control unit.
I'm not sure that's necessarily the case.
It's not necessarily true.
But they feel that by moving away from the CAN bus architecture and into this "sealed" system, they can avoid a lot of the vulnerabilities that exist now.
So, DSRC is not CAN bus.
It is not the same technology at all.
This is a radio that communicates with other vehicles.
The idea is that it has its own inertial sensors.
It has its own GPS positioning system as well as other positioning systems because they're very well aware that in large cities with tall buildings as well as in tunnels and canyons, it's sometimes very difficult to determine GPS location.
So, they need to have alternative ways and they're working through that as well.
It is not OnStar.
I've spoken with a lot of people who ask, how is this different from OnStar?
Well, this is a vehicle to vehicle.
All auto manufacturers will be running the same protocol.
And as I mentioned before, they're talking about a mandate.
So, this isn't a phone home situation.
This is a notification.
It will notify everybody in the vicinity.
Okay.
More technical details.
5.9 gigahertz spectrum.
The idea for that is the DOT owns the spectrum.
So, it's not used by anything else.
The DSRC is a channelized protocol.
Only one of the channels will be used for safety messages.
Okay.
Theoretically, this does not require a source address for these transmissions of the safety information.
The source address was removed from the protocol in 2010 because of the privacy concerns.
Any time you have a uniquely identified vehicle, you have a uniquely identified vehicle.
And you have the problem of tracking.
So, they removed that from the protocol.
However, if you think about it, how do you route without a uniquely identifiable address?
How do you validate people?
They came up with the idea of certificates.
Where you have the fingerprint that's hard coded into each radio unit.
And the certificates are keyed to that fingerprint.
So, if you have a bad actor, the whole package of certificates is revoked by exposing the fingerprint.
Each layer of this, there are some real serious privacy challenges.
So, the basic safety message.
This is the glob that's sent out that's much like the CAN bus message.
The SAE has come up with a standard for it.
The idea is it has a lot of really interesting stuff.
I don't know if you can see that.
It's very small.
It has location, acceleration, the status of your braking system.
And each of these headers breaks down into two different individual values.
Like for the braking system, each individual brake reports its status.
To include if your anti-lock braking system is engaged.
If your airbag is deployed.
Traction control, stability control.
There are some other interesting things like the message count.
But it also includes your size, your speed, your acceleration.
Your anticipated trajectory.
And your previous path.
In order for this to become effective.
You need to have density.
Because the benefit in a collision avoidance is not from your unit transmitting anything.
It's from the unit that you potentially hit transmitting their data.
So, you would need the more units, the more vehicles on the road that have this, the safer the road is.
So, the other side of the coin.
Is confidence.
If you don't believe that the messages you're getting in are accurate.
Then you'll ignore it.
And this is where hackers come in.
I'll get on to that later.
Here I would like to point out.
That privacy is particularly important.
Because if people don't trust it.
Then people will disable it.
And you wind up back with the first problem.
If I don't feel like it's keeping my information private.
Then I'm going to be disabling it.
If I can't go anywhere without everybody being able to track me.
So, in order to attack the validity problem.
They cryptographically signed all the certificates.
And these certificates are issued by a central authority.
I think that should be raising some alarm bells with some of you.
The question is, who is that authority?
There's been discussions.
Each automaker is its own authority.
There's a government authority that issues certificates, really.
There's public private partnerships.
All sorts of things.
And then the revocation.
And they plan on using a blacklist system.
The internet tried that, I think.
The idea is that the system, however, should invalidate itself.
If its sensor checks fail.
It shouldn't be transmitting bad information.
If its internal checks are not working.
They believe that they have a lot of information available for sensor validations.
But if they can't even control their own drones.
Who knows how that can go.
So, certificates.
The idea is that they're limited time use.
So that you can't be tracked by a unique identifier.
Because as soon as you use a certificate for a little while.
Then it's as easy to track you by that certificate.
As it would be by any other unique identifier.
The idea is that they're refreshed.
I've had discussions with people who are working on these radios.
How big should we make our memory to store these certificates?
And they were thinking on the order of three years.
And it occurred to me, three years to renew your certificates.
Oh, and by the way.
You have to report the bad actors.
When you renew your certificates.
So if you're only reporting bad actors every three years.
And then you get the report back the next three years.
When you update this.
It becomes pretty clear that that's kind of a bad idea.
So, privacy.
Here we go.
Starting with the mac layer.
Starting at the very bottom.
The idea is that there's a changeable source or no source address in the protocol.
This is, this has been debated in the past.
Whether it does or doesn't have that source.
Really it will come down to the implementation.
Because anybody who's worked closely with protocols understands that nobody implements a protocol perfectly.
And so if the leading implementation winds up demanding a source address.
Then everybody has to use source addresses.
And this is a first to market problem.
Rather than a market penetration problem.
Because the first to market sets the standard.
I'm thinking of Hayes compatible modems.
I know I used a lot of Hayes compatible modems.
But I never used a Hayes modem.
So, the idea that we have no source address means that any traffic to these devices would be unroutable.
This is an interesting thought considering we're talking about moving vehicles.
If you had only an address to like an infrastructure base station.
That would be great.
But the infrastructure base station would move out of range fairly quickly.
And you'd need some scheme to track that particular vehicle.
And which direction out of range it's gone.
And so on.
And you could come up with a pretty good tracking scheme.
Even if you avoided tracking individual vehicles.
So there's no initial privacy concern.
But the implementation and how they use it will create a problem.
So, coming back to the BSM that I showed you earlier.
Up there in the header elements, I just kind of grouped some like things.
They have this temporary ID field.
It is a specific field in the basic safety message itself.
Temporary, that sounds pretty good.
It's not a persistent identifier.
But depending on the application implementation, it could be.
Everybody's idea of temporary is somewhat different.
My idea of temporary is no longer than five minutes plus or minus three.
So I don't think everybody is on the same page.
So certificates.
They try to address the identity validity conflict.
You want to trust somebody.
But they don't want you to know who they are.
And it's something in infosec you deal with all the time.
Struggling between the authenticated user and the anonymous user.
If we have constantly changing certificates with unsteady shift, then that could help.
But once again, it depends on the implementation.
But the biggest issue is the issuing authority.
Who can control it.
Who knows what vehicle maps to what fingerprint maps to what certificate.
And what location they are.
There have been proposals that the units are shipped sealed and the fingerprint is not known to the auto maker.
So they can't map a VIN.
But then there have been proposals to the IETF.
That the VIN.
Be used as the fingerprint.
Which exposes the VIN.
Exposes the vehicle.
The whole vehicle can no longer use the system ever again.
If there's a problem.
And then you wind up in the aftermarket used vehicle sector.
Picking up radios just for the VIN.
So the fingerprint.
No correspondence.
I think I've covered all this.
So the delivery is the next challenge that I saw.
How to get the certificates to the vehicle.
We don't currently have any mechanism to communicate that doesn't authenticate or uniquely identify both ends of the conversation.
And most include some trackable method.
I think cellular is the leading contender right now for certificate delivery.
Wireless or even using DSRC in band.
And that just really hurts my head to think that in band certificate delivery could happen.
There's just so many opportunities that that can fail.
So more worrisome noise is going on with this.
I mentioned that the safety.
Was only one channel on many channels of the DSRC spectrum.
The other channels.
There's a lot of applications.
They're talking about mesh networking routing.
Which would be fun.
Sharing MP3s with the other cars on the highway.
There's a big joke about that.
But the advertising is one that.
Particularly gets me.
Because that's not only a concern for people who bought a car and don't expect to be pummeled with advertising all the time.
But also we've, I imagine, discussed different ways that advertising can be used as malware delivery.
So what concerns me the most is this last one.
And I'm giving a talk tomorrow on data brokers.
But data brokers using this fixed infrastructure.
Giving it to you for free.
So they can collect all the data.
Maybe they're not collecting data on specific cars.
But which model cars go to which malls.
Which neighborhoods drive which types of cars.
There's a lot of rich information for data brokers in this system.
That cannot be overlooked.
Another problem with this system is law enforcement.
You're transmitting your speed every tenth of a second.
Even if you're the most conscientious driver.
Occasionally you will be transmitting a speed that is over the posted speed limit.
And there's really, there are published studies on this.
There's no way to get around that.
Downhill crosswinds.
Suddenly shifting wind directions can push you over the speed limit.
Can small law enforcement agencies start issuing tickets by mail?
That's not very bright.
It's possible to correlate location and speed.
And get a nice license plate reader to go along with the system.
So that when you pass through.
Their camera.
They can catch you.
That way.
It's very easy to de-anonymize this.
Even if you're transmitting anonymous signals.
Simply by using another method that law enforcement has at their disposal.
So I know if I got a speeding ticket in the mail.
I would disable this system.
I'm neither the most nor the least conscientious driver.
But I don't want to expose myself to that specific vulnerability and that expense.
So what can you do?
And this is kind of a call to action to all of you.
You're hackers.
You have an idea about how these things can be broken.
Probably even more than that.
The radios are commercially available.
Cohda, C-O-H-D-A, is the leading manufacturer right now.
Cisco has an interest in them.
They just released a brand new unit that is designated as a reference design for production.
So that others can intertest with that.
Hack the protocols.
DSRC is out there, but mostly it's behind paywalls.
I've tried to get a couple of other people to really play with it and break it.
And all the documents are behind paywalls.
And become politically engaged.
The Senate knows what this is.
You guys should know what this is.
Every auto manufacturer knows what this is.
The administrative agencies, they're all totally on board with this.
Hackers need to be jumping in and making a difference here.
And more than anything else, that certificate authority needs to be hashed out.
If we're to maintain any privacy at all, there needs to be a separation between the government, the auto makers, and the users.
And all three of these need to have a stake in this decision.
And so that pretty much concludes my slide.
So I'd like to acknowledge a few people.
Professor Dorothy Glancy, she led me down this path.
Introduced me to a lot of people in DC650.
We kind of hammered this out.
And here's my contact information.
If you have questions, we have a microphone up here if you'd like to step forward.
There's a problem of false warnings.
And what would be the per vehicle cost of these new systems and how robust and the cost of maintenance of the system?
Does it break every 30 days?
But the cost of the system and how robust and also false warnings.
Okay.
False warnings.
There are three questions.
False warnings, the cost of the system, and maintenance.
Those are all three very good questions.
Every auto maker, of course, is going to have a different cost for their systems.
The idea of this being a sealed system suggests that it's not going to break down for at least two or three years.
Until your extended warranty is up.
But the idea is that it's supposed to be built very robust.
And the third question was.
Oh, false positives.
False positives is a really serious concern.
And much of my report to the auto makers involved the threat of the false positive.
And the threat of the false report.
And there are a couple of other really, really obvious basic things.
You can't cause collisions because there's a human involved.
But you can cause traffic slowdowns.
You can get people out of the way because you don't even have to tell them you're a police car.
You can just tell them you're speeding and you're going to hit them and they'll get out of the way.
So, yeah, there's a lot of concern there.
Okay.
I have a question about the message blobs.
So when looking at them, you said the source address is optional now.
And the ID.
The ID that's included is temporary.
How susceptible do you think they are to fingerprinting in general?
So, for example, your browser could be fingerprinted just by the sequence of fonts that are installed and things like that.
There are a couple of things.
Another issue in the glob of data is the size of the vehicle.
I'm fairly certain within a certain range you'll be able to identify manufacturer.
Beyond that, I'm not sure.
One of the things, you bring up another point.
One of the things that I think is very important to consider in privacy, you can get too far beyond where it's useful.
Facial recognition technology is involved in my eyeballs.
And we don't consider that an invasion of your privacy.
So if you have to be physically there.
If you can't deal with something as an automatic process, then it's not considered a significant threat to your privacy.
But as soon as the automatic processes come in, as soon as the people get taken out of the system or the person who's operating the radio frequency fingerprinting,
if you have to follow a car around to fingerprint or if you have to have careful spectrum analysis, I imagine you could do it at a mall parking lot.
Or something like that where you're looking at the vehicle.
But to identify a whole class of vehicles, you're not really narrowing it down to an individual so much.
So it's a concern.
It's not the biggest concern.
I guess that's where I'm going with that.
Thank you.
Thank you for bringing this up to this particular community.
You know I work for one of the agencies involved.
Yes.
Yes.
So there's a number of us trying to address some of the problems that you brought up.
Could you lower the microphone?
Sure.
How's that?
Yeah.
Okay.
So some of us have been looking at some of the problems you brought up.
And I'm glad you're bringing to this attention of this group.
If you don't mind, what I want to do is to let the group know about some of the data sets that we're making available from the Ann Arbor test.
Okay.
We might as well mention your TLA.
Yeah.
There's a web address.
I'm going to repeat this twice.
Okay.
It's www.its-rde.net.
One more time.
www.its-rde.net.
That is the research data exchange that RITA has set up for the Ann Arbor test bed.
All of the basic safety message that Christy talked about are available from that.
And we'd like to put up an informal chat.
We're a government agency, and we're under sequester right now, so we can't put any cash behind us.
I'm sorry, guys.
But we would like to challenge the community to take a look at that data set and see if
they are able to use that data set to identify any of the drivers without using social engineering.
Okay.
Just from the data set itself, we think we have a good design.
But you know what?
We're still in the prototype stage.
We would like as many holes punched into it.
We would like to do this as technically possible now so we can fix those.
Thank you again, Christy.
And he brings up a very important point.
The more we can hack on this right now, the better chance we have of not seeing faulty
units get installed in vehicles, because they're ready to roll.
And we need to stop them if they're breaking things.
Okay.
Do you know how they plan on switching the fingerprints?
So I ‑‑
I am ‑‑ or switching the certificates.
So I imagine a couple of problems with that.
Okay.
So if you switch it while you're driving, then you have that path history that would
probably stay the same across different certificates.
So then you could correlate them together.
If you only do that for a single run of the car, then you know where they start and where
they end.
And so you could probably identify them that way.
So it seems pretty challenging to do that.
Right.
So my recommendations were based on the average trip length.
And so you want a certificate that lasts no longer than half your average trip length.
And there's a lot of discussion about when you start transmitting, if you want to do
it, like, at the point where the power door locks engage.
So you don't know exactly quite where they started, but you do get that information as
soon as it's necessary.
So there's a lot of thought that's going into at what points.
Like, my recommendation also was not to have fixed periods, but rather have a plus or minus
and have a little randomness in there so that they can't set up listening stations to track
you as you leave their store.
That sort of thing.
My thought is a big box store wants to know if you left and went to another store.
To their competitor.
Or where did you go when you left their store?
Or where have you been before you came?
So, yeah, the idea that having a flexible length and minimum of half the average trip size.
Or maximum.
Great.
Thanks.
Hi.
Hi.
This was focused mainly on emerging DSRC.
And my question is, how much are you or are you involved in, you know, the
some of the other things that are emerging right now coming out of industry?
Like, for example, telematics Detroit.
Are you familiar with that?
I'm not really engaged in any of the other automotive control systems.
My specialty is privacy.
And so I look at privacy in a variety of embedded devices.
Automotive privacy is very interesting to me mostly because even more than your cell
phone, which is my previous research.
Even more than your cell phone, your vehicle tells where you've been, where you're going.
And it tells a lot about you, who you associate with, and where you spend your time.
It says a lot about you.
And so it's critical that neither the government nor the advertisers take that information
from you without your consent.
In that case, I would point you to telematics Detroit.
If you Google that, the session abstract for every session of that conference is essentially
Oh, I'm aware of that.
That conference.
We're going to split up all the data in the car.
So thank you.
Yeah.
Yeah.
I had two questions.
The first one was
Closer to the mic?
Huh?
Closer.
Oh, sorry.
I had two questions.
The first one was, what sorts of displays would be used to monitor
what would we be looking at as far as, like, getting the driver information?
And the second question was, would there be any drawbacks to, like, the certificates changing
before the trip has ended as far as, like, safety?
Okay.
First, here's an example of the display they have in mind.
This is one of several different things they've been toying around with.
They have a small display in the center of the dash.
They've also talked about putting lights in various places in the cockpit.
And there's a lot of human interaction research that's done on what kinds of displays that
they're working on with this.
And everybody has a little bit different idea.
What was your second question?
Is there any drawbacks to having the certificates change before the trip is completed?
Like, you have one car driving and it's one car to the car.
And then, like, instantly it just changes to another car or something like that?
Persistence of vision.
Cars can do it, too.
The cars around you don't get confused when the certificate changes.
In fact, you wouldn't even notice.
One of the concerns about changing certificates is, well, if you were to be followed, then
they would be able to track the certificate changes.
But if you were to be followed, then you're being followed.
So the real interest is in just the persistence at the point of change.
And that shouldn't be a problem because what the system does is it takes the packet, validates
it, and then strips the certificate off.
And so all the processing is done once the packet's been validated.
So it really shouldn't change anything at all.
Okay?
Okay.
Is this system supposed to be operating internationally?
Yes.
And if yes, then how is the foreign certificate of validation?
The European bandwidth that is available is the same as the bandwidth in the United States.
And they plan to implement the same radios, the same protocols in Europe as in the United
States.
The only difference is in Japan, where that bandwidth is not available.
It's the spectrum has been allocated elsewhere.
So that's kind of where it is.
The automakers that are working on this, European, I worked with three European, three American,
and three Japanese automakers, and they were adamant about having the exact same system
in the U.S. and in Europe.
What about certificate authorities?
CES.
That's a really good question. And when you start crossing international borders, the
government piece of the three interests changes. And there will be all sorts of interesting
wrangling in that respect. That's a very good point.
The gentleman from the ITS RDE described this as a prototype system. You described the user
interface as still very much under development. Earlier in the talk you mentioned this was
expected to ship on high end automobiles for the 2014 model year. Those are on the lot
now. And 2015 cars you were thinking about that maybe being a mandate. That's a very
good point. That seems contradictory to me. Can you explain where we're at in the development
cycle and how close we really are to having these on the road?
I don't know the stuff on the lot right now. I don't follow model years. As I mentioned,
my specialty is privacy rather than ‑‑ I do know that they were working ‑‑ when
I spoke with them around this time last night.
It was August. I wasn't able to come to DEF CON because I was working on this project.
When I was speaking with them that last August, they were talking about already having radios.
And I actually got to put my hands on some. And they already had the radios. They already
were trying to get them in the cars. And so that's the best information I have. When I
say high end, I mean the BMWs.
I would say the BMWs are the ones that are just getting started.
scary to me. I mean, if I'm used to, to use your example, BMW and then I go and rent a Cadillac
and the system is different, I'm not used to the warning systems. I'm sure lawyers would love to
argue liability over that. Well, the liability of not responding to a warning system is what
you're talking about there. And that's a really interesting point that I don't think anybody else
has discussed. But yeah, to argue the liability for not responding, that would be an interesting
argument because the situation you would be in there would be that somebody was driving
erratically and it was the duty of the person who was not driving erratically to heed the warnings
and get out of their way. So that's the only situation where the liability would be at issue.
Thank you.
Okay. We're done. Okay. Thank you all very much.
